Mounting Secrets

To mount confidential data into your workspaces, use Kubernetes Secrets.

Using Kubernetes Secrets, you can mount usernames, passwords, SSH key pairs, authentication tokens (for example, for AWS), and sensitive configurations.

Mount Kubernetes Secrets to the DevWorkspace containers in the Kubernetes cluster of your organization’s Che instance.

  • An active kubectl session with administrative permissions to the destination Kubernetes cluster. See Overview of kubectl.

  • In your user namespace, you created a new Secret or determined an existing Secret to mount to all DevWorkspace containers.

  1. Add the labels, which are required for mounting the Secret, to the Secret.

    $ kubectl label secret <Secret_name> \
  2. Optional: Use the annotations to configure how the Secret is mounted.

    Table 1. Optional annotations
    Annotation Description

    Specifies the mount path.

    Defaults to /etc/secret/<Secret_name>.

    Specifies how the resource should be mounted: file, subpath, or env.

    Defaults to file.

    mount-as: file mounts the keys and values as files within the mount path.

    mount-as: subpath mounts the keys and values within the mount path using subpath volume mounts.

    mount-as: env mounts the keys and values as environment variables in all DevWorkspace containers.

Example 1. Mounting a Secret as a file
apiVersion: v1
kind: Secret
  name: mvn-settings-secret
  labels: 'true' 'true'
  annotations: '/home/user/.m2'
  settings.xml: <Base64_encoded_content>

When you start a workspace, the /home/user/.m2/settings.xml file will be available in the DevWorkspace containers.

With Maven, you can set a custom path for the settings.xml file. For example:

$ mvn --settings /home/user/.m2/settings.xml clean install